Unlike other threats currently facing the country, cyber attacks can have instant, wide-ranging consequences for the nation’s broader national and economic security interests. The targets of these attacks can vary – with some focusing on networks belonging to large organizations and others preying on individual Americans. Given this unprecedented and rapidly escalating threat, both government and industry leaders must play a role in educating their employees and constituents to identify and deter online dangers. To make the Internet a safer place for all Americans, government and industry must share in the responsibility to promote heightened awareness about cyber security and safer online practices.
In support of this, we have provided a high-level overview of some key information to assist with heightening awareness. Also review the Awareness FAQ page.
The main groups launching cyber attacks are organized crime, hacktivists, nation states, terrorists and insiders. While these groups have not changed much over the past 12 months, their techniques have.
Criminal: The financial services sector continues to be the most-targeted by organized crime, which aims to pilfer sensitive information that can quickly be monetized.
Hacktivists: Groups or individuals seeking to make a social or political statement; they frequently attempt denial-of-service attacks against networks.
Nation States: Foreign intelligence services target multiple sectors, from government to manufacturing and energy to communications, in order to extract data that can be shared with industries in their own countries.
Terrorists: Terrorist organizations seek to disrupt critical infrastructure and cause harm, in particular to the United States.
Insiders: Insider threats are especially serious because someone on the inside already has physical access and, most likely, a network user account. Many of these incidents will be unintended: a worker attempting a personal online activity inadvertently breaches company security. This includes a wide range of social engineering attacks that result in data leakage or remote access for the hacker. Unfortunately, there will likely be an increase in intentional malicious actions on the part of employees. Outside hackers spend considerable time and effort to gain logical or physical access to a network; your workers already have both. While a typical worker can choose to perform malicious actions or be tricked into them, it is also true that a hacker can go undercover and be hired by your organization.
The reality is that the offense outpaces the defense, so attackers have been able to adapt and overcome even what we would consider to be some of the most resilient defenses. The following list is a representative sample of some of the methods used:
Social Engineering: A euphemism for non-technical or low-technology means—such as lies, impersonation, tricks, bribes, blackmail, and threats—used to attack information systems. Sometimes telemarketers or unethical employees employ such tactics. Social engineering targets the weakest link in security, namely its people. People are always the last line of defense, as they can choose to, be coerced to, or be tricked into violating security.
DoS (Denial of Service): The prevention of authorized access to a system resource, or the delaying of system operations and functions. Often this occurs because of a large volume of data requests.
Watering Hole: In watering hole attacks, the bad guys poison a website frequented by you and/or your company with the express goal of compromising your environment. Either the hacker maliciously modifies the website code itself so that malware is sprung on the user or some desired object on the website is poisoned. For example, hackers may maliciously modify a trusted applet, and when downloaded by visitors, it opens a backdoor or installs other malware.
Exploiting vulnerabilities: Unfortunately, many computing environments contain vulnerabilities that can be, and frequently are, exploited by the “bad guys”. Some examples include out-of-date (unpatched) software, weak passwords, misconfigured systems (servers, firewalls, desktops, etc.), poorly managed access control, and insecure protocols, such as those that lack encryption for sensitive data.
The impacts of a cyber attack on an organization can be devastating. The following list gives some examples of the kinds of information that can be lost:
- Product development and use, including information on test results, system designs, product manuals, parts lists and simulation technologies;
- Manufacturing procedures, such as descriptions of proprietary processes, standards and waste management processes;
- Business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures and acquisitions;
- Policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel;
- E-mails of high-ranking employees;
- User credentials and network architecture information.
Other significant impacts to the community could include interruptions to critical infrastructure such as electrical power grids, water and transportation systems, oil pipelines, refineries and power-generation plants. Beyond inconvenience exists the potential for catastrophic loss of life and destruction of property.
An example of a typical “cascade effect” of an attack would be: when transformers fail, so too will water distribution, waste management, transportation, communications, and many emergency and government services. People who take medicines that require refrigeration will quickly face the prospect of going without those drugs. Given that a lead time of twelve months on average is required to replace a damaged transformer today with a new one, damage on that scale at a local or regional level would cause enormous economic and societal disruption.
Ensure you have a comprehensive cyber security program in place. This should include a robust awareness program for your employees, since they are one of the weakest links for exploits. The program should ideally take a “defense-in-depth” approach, meaning a systematic, multi-level set of administrative, management and technical controls. Depending on what industry you are in, there are also regulatory requirements to be met, such as PCI, SOX, HIPAA or FISMA. However, compliance does not necessarily mean total security. Your program should contain the following key elements to provide a higher degree of security and lower your risk of impact.
1) Corporate Information Risk Management
2) Home and Mobile Connections
3) User Education and Awareness
4) User Privilege Management
5) Removable Media Control
6) Activity Monitoring
7) Secure Configurations
8) Malware Protection
9) Network Security
10) Incident Management
Security Predictions for 2016
This article is a great look at security predictions for 2016.